| Commit message (Collapse) | Author | Age | Files | Lines |
|\
| |
| |
| |
| | |
nettle/gost: support use GOST DSA support from master branch
See merge request gnutls/gnutls!1183
|
| |
| |
| |
| |
| |
| | |
Use GOST DSA and GOST curves provided by Nettle's master branch.
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
|\ \
| | |
| | |
| | |
| | | |
pkcs12: do not go try calculating pbkdf2 with 0 iterations
See merge request gnutls/gnutls!1182
|
| |/
| |
| |
| |
| |
| |
| | |
Nettle will abort on a call to pbkdf2 if iterations is 0. Add check to
GnuTLS PKCS12 GOST code to check that iter is not 0.
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
|/
|
|
| |
Signed-off-by: Bjoern Jacke <bjacke@samba.org>
|
|
|
|
|
|
|
|
|
| |
On unknown curves or illegal parameters, make sure we return the
right error code which will translate to the appropriate alert.
Resolves: #907
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|
|
|
|
|
| |
Use newer format of ecc curve data if curve448 support is detected.
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
|\
| |
| |
| |
| | |
x509: include digestParamSet into GOST 512-bit curves A and B params
See merge request gnutls/gnutls!1173
|
| |
| |
| |
| |
| |
| |
| |
| | |
Old implementations do not understand PublicKeyParams with omitted
digestParamSet. So include the field for old 512-bit curves to improve
compatibility with old implementations.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
|\ \
| | |
| | |
| | |
| | | |
algorithms: implement X448 key exchange and Ed448 signature scheme
See merge request gnutls/gnutls!984
|
| | |
| | |
| | |
| | | |
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
| |/
| |
| |
| | |
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|\ \
| | |
| | |
| | |
| | | |
pkcs12: use correct key length when using STREEBOG-512
See merge request gnutls/gnutls!1171
|
| |/
| |
| |
| |
| |
| |
| |
| |
| | |
PKCS#12 files using GOST HMAC (GOST R 34.11-94 and Streebog) use special
function to generate MAC key. Pass correct key length (fixed to be 32)
when generating PKCS#12 files protected with Streebog (currently it
incorrectly uses 64 there).
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
|\ \
| | |
| | |
| | |
| | |
| | |
| | | |
tls13: fix issues with client OCSP responses
Closes #876
See merge request gnutls/gnutls!1169
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
The TLS1.3 protocol requires the server to advertise an empty
OCSP status request extension on its certificate verify message
for an OCSP response to be sent by the client. We now always
send this extension to allow clients attaching those responses.
Resolves: #876
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| |/
| |
| |
| |
| |
| |
| |
| |
| | |
In client side ensure we see a request for OCSP from servers before
sending one.
Relates: #876
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|/
|
|
| |
Signed-off-by: Dmitry Baryshkov <dbaryshkov@gmail.com>
|
|\
| |
| |
| |
| | |
libgnutls: Add system-wide default-priority-string override.
See merge request gnutls/gnutls!1158
|
| |
| |
| |
| | |
Signed-off-by: Dimitri John Ledkov <xnox@ubuntu.com>
|
| |
| |
| |
| | |
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
|\ \
| | |
| | |
| | |
| | | |
Extend GOST priority settings and documentation
See merge request gnutls/gnutls!1160
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
To remove possibility of using wrong length or using strncasecmp()
instead of c_strncasecmp() define PRIO_MATCH(name) macro taking care
about all details.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Add GOST-ALL as an alias for CIPHER-GOST-ALL, MAC-GOST-ALL, KX-GOST-ALL,
SIGN-GOST-ALL and GROUP-GOST-ALL.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Add shortcuts for GOST ciphers, MACs and KXes. For now they contain only
one item, but this list will be expanded as support for GOST-CTR-ACPKM
ciphersuites will be added.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Add SIGN-GOST-ALL keyword containing all defined GOST signature
algorithms.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
Use c_strncasecmp() instead of just strncasecmp() which can be affected
by locale.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
| | |
| | |
| | |
| | | |
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
|\ \ \
| | | |
| | | |
| | | |
| | | | |
Fix tests execution when FIPS mode is compiled but not enforced.
See merge request gnutls/gnutls!1164
|
| | |/
| |/|
| | |
| | |
| | |
| | |
| | |
| | | |
In wrap_nettle_pk_generate_keys() set params->algo before calling
pct_test() as GOST sign/verify use that field.
Reported-by: Daiki Ueno
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|
|\ \ \
| |/ /
|/| |
| | |
| | | |
ocsp: set GNUTLS_CERT_INVALID if OCSP response indicates revocation
See merge request gnutls/gnutls!1159
|
| |/
| |
| |
| |
| |
| |
| |
| |
| | |
This makes the OCSP based certificate verification adhere to the
convention used throughout the library: "The 'GNUTLS_CERT_INVALID'
flag is always set on a verification error and more detailed flags
will also be set when appropriate."
Signed-off-by: Daiki Ueno <dueno@redhat.com>
|
|\ \
| | |
| | |
| | |
| | |
| | |
| | | |
doc: clarify thread safeness in gnutls_global_init() [ci skip]
Closes #900
See merge request gnutls/gnutls!1162
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
This documents and clarifies the thread safeness of gnutls_global_init()
and its constraints.
Resolves: #900
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
|\ \ \
| |/ /
|/| |
| | |
| | |
| | |
| | | |
Provide flag to identify sessions that an OCSP response was requested
Closes #829
See merge request gnutls/gnutls!1131
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
return type
Also some documentation updates.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@redhat.com>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
That adds the flag GNUTLS_SFLAGS_CLI_REQUESTED_OCSP which can be
checked by a server application to determine whether the
client has requested stapled OCSP responses.
This includes minor cleanups in the status request handling code.
Resolves: #829
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|\ \ \
| |_|/
|/| |
| | |
| | |
| | |
| | | |
x509: reject certificates having duplicate extensions
Closes #887
See merge request gnutls/gnutls!1145
|
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
That is, do not perform the look ups necessary to calculate the value
when it will not be used.
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
According to RFC5280 a certificate must not include more than
one instance of a particular extension. We were previously printing
warnings when such extensions were found, but that is insufficient
to flag such certificates. Instead, refuse to import them.
Resolves: #887
Signed-off-by: Nikos Mavrogiannopoulos <nmav@gnutls.org>
|
|\ \ \
| | | |
| | | |
| | | |
| | | |
| | | |
| | | | |
Fixes dummy getrandom() when errno = EAGAIN.
Closes #892
See merge request gnutls/gnutls!1150
|
| |/ /
| | |
| | |
| | |
| | |
| | | |
Fixes #892.
Signed-off-by: Edward Stangler <estangler@bradmark.com>
|
| | |
| | |
| | |
| | | |
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
| | |
| | |
| | |
| | | |
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
| | |
| | |
| | |
| | | |
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
| | |
| | |
| | |
| | | |
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
| | |
| | |
| | |
| | | |
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
|/ /
| |
| |
| |
| |
| |
| |
| |
| | |
verify-high.c:284:7: runtime error: implicit conversion from type 'size_t'
(aka 'unsigned long') of value 15421545260338 418178 (64-bit, unsigned) to
type 'uint32_t' (aka 'unsigned int') changed the value to 437555714 (32-bit,
unsigned)
Signed-off-by: Tim Rühsen <tim.ruehsen@gmx.de>
|
|\ \
| | |
| | |
| | |
| | | |
Workaround for SChannel limitations
See merge request gnutls/gnutls!1138
|
| | |
| | |
| | |
| | |
| | |
| | |
| | |
| | | |
SChannel-based clients can not send GOST identifiers as a part of
SignatureAlgorithms extension. To mitigate this forcefully enable GOST
signature algorithms if client sends GOST ciphersuite.
Signed-off-by: Dmitry Eremin-Solenikov <dbaryshkov@gmail.com>
|